Many organizations remain unprepared to handle a ransomware attack on a holiday or weekend, as they continue to operate with a skeleton crew as the year winds down.
This was one of the findings of a Cybereason survey of 1,203 cybersecurity professionals, which also found holiday and weekend ransomware attacks resulted in greater revenue losses than ransomware attacks that occurred on weekdays.
The threat is also growing, with a third of respondents saying their organization lost more money from a holiday/weekend ransomware attack, up from just 13% of respondents in Cybereason’s 2021 study.
Not-So-Happy Holidays for Cybersecurity
Sam Curry, Cybereason’s chief security officer, explained there are a few reasons for cybersecurity management difficulty during the holidays.
“The first is that some businesses have a seasonality that affects risk—the impact of incidents can go up dramatically for companies in industries like retail during the holidays,” he said.
Curry noted that some businesses “go into the black,” meaning they become profitable, only at the end of the year, and losing a day or two around Black Friday, Cyber Monday or other critical end-of-year days can have the same impact as losing months during the rest of the year.
“The second major consideration is the availability of staff due to inclement weather, planned time off or simply a large number of statutory holidays,” he said.
This isn’t limited to cybersecurity staff, either; it also stretches to include the non-cybersecurity staff that work together with cybersecurity teams to secure and monitor environments as well as respond the incidents and threats in real-time.
“Lastly, metrics tend to be off,” Curry said. “Noise enters the picture, baseline normal behaviors change and so on, making it harder to spot anomalies or tell when deviation occurs and hackers, of course, prey on targets specifically during holidays.”
Melissa Bischoping, director of endpoint security research at Tanium, pointed out the cybersecurity industry is facing unprecedented levels of burnout, and for some, the PTO they take around the holidays may be their first vacation in some time.
“Protect that time off by ensuring that you’ve got well-trained staff ready to respond to an incident before your subject matter experts go on vacation,” she advised. “Invest time in regular incident response tabletops, proactively ensure your incident communications plans are current and well-known through the entire organization.”
Communication is Key
From Bischoping’s perspective, effective, precision communication is the organization’s competitive edge during an incident.
“Ensure that you’ve gone beyond just prevention and detection and are well-prepared and appropriately staffed with cross-trained staff and crystal clear documentation, so your employees can take that essential and valuable time off with their families without worry,” she said.
Mike Parkin, senior technical engineer at Vulcan Cyber, added that this close to the holidays, organizations should already have their schedules set so they know what personnel resources are available and have their contingency plans in place.
“The last round of patches and mitigations should be done,” he said. “Finally, the reminders to staff to be aware of social engineering efforts and phishing attacks should be sent out with another round ready to go right before everyone leaves on break.”
Parkin added that cybersecurity professionals are dealing with environments that are “active” 8:00 a.m. to 5:00 p.m. but that are under threat 24/7/365.
He said finding the resources to keep the SOC operating after hours can be a challenge for any smaller enterprise–which many of the organizations in this study are.
“However, even with limited resources, proper planning and solid communication can soften the blow when an attack comes outside the organization’s normal business hours,” he said.
Parkin said automation and well-designed playbooks combined with a solid risk management program can serve as a force multiplier for a limited staff until the full team can react.
Curry said the biggest problem in security is the division between the security function and the rest of the business.
The business sees security as “the problem for those people over there,” and the security function doesn’t engage in true business preparation and dialogue.
“It’s not even that security necessarily has the answer—the dialogue and discussion itself leads to both a more secure business and better security more in tune with what the business needs,” he explained. “Simply buying the right tools is never enough. But today, many companies still aren’t buying the tools, which exist, for ransomware prevention and protection.”
As the holiday shopping season kicks into high gear, Curry said there are those who are prepared, those who have stepped up their game and then there are the rest—those for whom this year looks like past years.
“Only time and the holidays will tell whether preparations are enough,” he said.
He noted that as in years past, incidents often happen at the end of the year, as with Log4j, SolarWinds and Hafnium a few years ago and as occurs with ransomware at every major holiday break.
“Some people will have done the hard security work during the year and will make it through to 2023 unscathed, while others will find themselves with something worse than coal under the cybersecurity tree,” Curry warned.